SECURITY

Security at
Zyrix.

How we protect your payment data, merchant accounts, and customer transactions across every layer of our infrastructure.

🔒

PCI DSS Level 1

The highest level of PCI DSS compliance for payment service providers. All cardholder data is processed on infrastructure assessed as PCI DSS Level 1 compliant.

🛡️

TLS 1.3

All data in transit is encrypted using TLS 1.3, the current version of the Transport Layer Security protocol (the successor to SSL).

🔐

AES-256 Encryption

All data at rest is encrypted using AES-256. Encryption keys are managed using Hardware Security Modules (HSMs).

🏢

SOC 2 Type II

Our infrastructure undergoes independent SOC 2 Type II audits covering security, availability, and confidentiality.

Security Practices

Infrastructure Security

  • Multi-region cloud infrastructure with automatic failover
  • Network segmentation and Web Application Firewall (WAF)
  • DDoS protection with automatic traffic scrubbing
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Regular penetration testing by independent security firms
  • 24/7 Security Operations Center (SOC) monitoring

Data Security

  • AES-256 encryption for all stored data
  • We never store raw card numbers — only tokenized references
  • Hardware Security Modules (HSMs) for key management
  • Database-level encryption with row-level access controls
  • Automated backup with encrypted storage in multiple regions
  • Data residency options for KVKK and GDPR compliance

Access Control

  • Role-based access control (RBAC) for all Zyrix staff
  • Multi-factor authentication (MFA) required for all internal systems
  • Zero-trust network architecture — no implicit trust
  • Privileged Access Management (PAM) for infrastructure access
  • All admin access logged and audited
  • Automatic session expiry after inactivity

API Security

  • HMAC-SHA256 request signing for all API calls
  • Signed webhook payloads so merchants can verify origin and detect tampering
  • Rate limiting per API key to prevent abuse
  • IP allowlisting available for enterprise merchants
  • API key rotation with zero-downtime key cycling (old and new keys overlap during rotation)
  • Separate live and test environment API keys

Fraud Prevention

  • Real-time transaction screening using ML fraud models
  • Velocity checks and anomaly detection per merchant
  • 3-D Secure 2 (EMV 3DS) authentication for card payments
  • BIN (Bank Identification Number) validation
  • Device fingerprinting and behavioral analytics
  • Sanctions and politically exposed person (PEP) screening for all counterparties

Incident Response

In the event of a security incident or data breach, Zyrix follows a structured incident response plan:

Detection: Automated monitoring raises an alert within minutes of an anomaly being detected

Containment: Affected systems are isolated within 15 minutes of a breach being confirmed

Notification: The relevant supervisory authorities are notified within 72 hours, as required by KVKK and GDPR

Merchant notification: Affected merchants are notified without undue delay

Post-incident review: Root cause analysis and remediation are completed within 30 days

Responsible Disclosure

If you discover a security vulnerability in Zyrix's platform, we ask that you report it responsibly. Please email security@zyrix.co with details of the vulnerability and the steps needed to reproduce it. We commit to:

  • Acknowledge receipt within 24 hours
  • Provide a status update within 5 business days
  • Not pursue legal action against good-faith security researchers
  • Credit researchers in our security acknowledgments (with permission)

Security Contact

security@zyrix.co

For non-emergency security questions, please use our standard support channel: support@zyrix.co